Many modern electronic devices, such as mobile phones, cable boxes and other set-top boxes, and cable modems, are computing devices that perform operations based on software and/or firmware loaded on the device. To prevent malicious code from being run on such devices, authorized code is often digitally signed and/or encrypted before it is loaded onto devices. The devices can be configured to reject code that is not properly signed and/or encrypted, with the goal that only legitimate and authorized code can be loaded and run on the devices.
Code that has been developed and is intended to be loaded onto a device can initially be unsigned and unencrypted. To sign and/or encrypt the code such that it can be loaded onto the device, the code can be submitted to a separate security component, such as a component comprising a Hardware Security Module (HSM). The security component can then perform cryptographic operations, such as code signing and encryption, using digital signatures and/or keys stored at the security component. For example, a software developer who has written code for a device can submit the initially unsigned code to a dedicated code signing server that is configured to sign and/or encrypt the code using digital signatures and/or encryption keys stored at the server. The signed code can then be incorporated into the device.
In some situations it can be desirable to store final signed code images at a software repository instead of directly returning them to developers or other users who initially requested the code signing. For example, some product manufacturers or developers can attempt to comply with export control regulations, such as the United States Export Administration Regulations (“EAR”), by storing final signed code images at a software repository where they can be managed and controlled. By doing so, the signed code images can be centrally managed and access to them can be restricted. For example, developers can be restricted from accessing final signed code images and loading them into products that will cross national boundaries until proper export licenses have been obtained.
Some entities have attempted to have signed code images automatically submitted to a designated software repository by changing the code signing server's configuration such that signed code images produced by the code signing server are sent to the software repository instead of being returned to the devices that actually requested code signing. However, this solution requires changes to the code signing server itself, which may affect proper operations in other situations where it is permissible for signed code to be returned directly to the device that requested it. Moreover, in some situations a user that requested code signing may not be notified when the code signing is complete if the code signing server is configured to send the signed code it produces to a different location instead of back to the original requesting user.
What is needed is a system and method for submitting code images to be signed, such that resulting signed code images are stored at a software repository before being accessible by authorized users.